Matthew Patton wrote:
>On what basis do you make this assertion? "secure" can mean a lot of
>things and a rubber stamp from NSA or its equivalent doesn't mean a
>whole lot if buggy software can be trivially exploited. We could go on
>about "usable" but I'll let that one slide. In particular is the
>firewall configuration an EXACT match with the
>"certified/tested/evaluated" machine? NT has a C2 rating but it's not
>worth a damn. When was the last time you ran an NT box with no LAN, no
>floppy, and with a modified BIOS? Not exactly a useful product. Then
>again, assuming you duplicate this setup, place said machine nearish to a
>window. Electronic eavesdropping (for about $3000 and change) or outside
>observation does tend to degrade the usefulness of said rating does it
You're correct, "secure" is a nebulous term, but obviously you have not been
involved with an evaluation of an operating system if you believe that it's a
rubber stamp. I worked on the NCSC evaluation of a UNIX operating system and
it took too long (several years) and was not a rubber stamp. Your point about
what the configuration is is quite true, but Cyberguard has gone the extra mile
of getting a network evaluation to provide a better security solution that
does include a network component. And you can buy the NightHawk in a TEMPEST
cabinet if you're concerned about that.
>Ah, the GUI. Remote manageable too I think I recall. What to say when
>the X11 session gets hijacked? You sure the box isn't running a
>braindamaged X11 server? Can you attack the logging facility thru DOS?
>What happens when you bog the machine down with hundreds of connections?
>Does it run out of VM and spontaneously reboot? How about the logs
>filling up the disk? What happens when this occurs and an exploit is
>then launched? Do you still have an audit trail?
First, I know of no system that is completely immune to a concerted denial of
service attack. You can attempt to minimize the impact but with a general
purpose operating system, it may be virtually impossible to eliminate.
Second, unless you're willing to expend the money to create a tamperproof box,
the granting of access to the machine is taboo.
>So they know how to check off all of the feature boxes on the report
>card. Anybody can and everybody does that.
Do you KNOW that the features are not provided? What feature do you believe
they are lying about?
>IMO ratings, be they NSA/NCSA or whatever, aren't worth much and
>definitely not a price premium. I take far more comfort in people
>banging away at the available stuff and fixing the problems.
And what, pray tell, do you believe that the evaluations/testings are trying to
do? The purpose of these is to provide a degree of comfort that someone
other than the vendor has looked in varying degrees of detail at the
implementation of the software/hardware combination.
>Additionally, you really believe the vendor (or reviewer for that matter)
>went thru every single line of code specifically looking for possible
>exploits? Get real.
Have you been involved in the evaluation process? I have. No, we didn't go
thru every single line of code, but we tried to get complete coverage and did an
analysis of the data flow and looked at the access control mechanisms in
great detail and looked at privileged processes to verify their correct
operation, and in those programs we did indeed look at every line and reviewed
the libraries. That some people attempt to slide thru an evaluation, I have
no doubt but I'd like to believe that that is the exception rather than the
>All the ratings do is study the protection scheme and bless it as logical
>and OK at least in theory. Then with various degrees of persistence they
>try to prove you can't get around said protection. Holes and stack smashes
>by way of poorly written C and resolver libraries and DOS via SYN etc.
While the NCSC did not require denial of service attacks, nor penetration
testing (for a B1 system), we as part of our own QA did do these things based
on knowledge gathered from various sources and our own experience.
>If they were we wouldn't be plagued with some of the problems we have now.
No product is completely immune no matter how much money or resources are
thrown at it. What you want is a system that provides a degree of security,
and some assurance that the vendor has made a best effort at 1) implementation
of a security mechanism, and 2) discovery/correction of known bugs.
Finally, there is the issue of whether you need a secure operating system. While I
believe that a properly implemented firewall does not require a trusted base
to run on, a secure OS will help if the firewall code is compromised. It may
not be sufficient to protect the network, but it may minimize the damage.
I'm not recommending either choice, but I do believe that there are benefits
derived from having the system evaluated by an outside source. Is it worth
the money? The market has shown to date that it wants security but doesn't want
to pay for the extensive review/testing/etc. required to develop and maintain
it. The expectation is that it should come for free..."Of course your
software is safe...right?"
---Michael J Coss
Lucent Technologies - Bell Laboratories mjcoss @